From: MARASCO, JOSEPH D. (CD) (FBI) <JDMARASCO@fbi.sgov.gov> 


Sent: Thursday, September 22, 2016 10:23 AM 

To: AUTEN, BRIAN J. (CD) (FBI) <BJAUTEN@fbi.sgov.gov>; PIENTKA, JOE (WF) 
(FBI) <JPIENTKA@fbi.sgov.gov> 

Subject: FW: Analysis of Trump White Paper --- UNCLASSIFIED//FOUO 

Attach: Analysis of Trump server white paper.docx 


Classification: UNCLASSIFIED//FOUO 


Gents...FYI... 


From: TODD, PHILIP H. (CD) (FBI) 

Sent: Thursday, September 22, 2016 8:09 AM 

To: MARASCO, JOSEPH D. (CD) (FBI) 

Subject: FW: Analysis of Trump White Paper --- UNCLASSIFIED//FOUO 


Classification: UNCLASSIFIED//FOUO 


Special project: 


On or about 9/16/16 Chief Division Counsel Baker provided Joe Pientka with 2 thumb drives and identified 
that they were given to him by the DNC (unknown). The special project provided the thumb drives to CYD 
who broke down the contents. The information on the drives indicates that a number of email addresses, 
with the word TRUMP in them, that CYD identified belong to the Trump campaign (attached white paper), are 
connecting to Alpha Bank in Moscow via a server of a health care provider in the Midwest. It appears the 
health care provider is unwitting. CYD has identified that they will not open a CYD case on this. CG was asked 
to take this and open a case, which they did on 9/21/16 as a 105H to investigate. CG plans to be in touch with 
the health care provider and gain their consent and attempt to install FBI devises on the server to collect these 
communications. CD-1 understands from the special project team, at this point, this is not a FISA issue, since 
the health care provider has not agreed to these communications traveling through their server (if CG gains 
consent). CG will be not be identifying the specific actors of this action to the health care provider but will 
pretend that a similar action in the past by the Chinese to this same company, is happening again. 


The DNC person that provided these thumb drives stated to Baker that he/she was going to release the 
information concerning the Trump server, and direct contact with the Russians through Alpha Bank in 
Moscow, to the press on Friday, 9/23/16, prior to the upcoming Trump / Clinton debate this weekend. 


<<... >> 


From: NORWAT, BRANDON H. (CD) (FBI) 

Sent: Wednesday, September 21, 2016 5:12 PM 

To: TODD, PHILIP H. (CD) (FBI) 

Subject: FW: Analysis of Trump White Paper --- UNCLASSIFIED//FOUO 


FBI-DWS-01-0000939 


SCO_FBIPROD_005423 
SCO-020088 


No. 1:21-cr-00582-CRC (D.D.C.) DX-519_0001 


Classification: UNCLASSIFIED//FOUO 


Just trying to keep you updated in the email chain. 
Brandon Norwat, Unit Chief 
Counterintelligence Division 

Cyber CI Coordination Section (C38) 
C3S-Eurasia 

FBIHQ/ Mission Ridge, Rm 430 


703-633-5668 (0) 


CEIED-7792 (C) 


From: HEIDE, CURTIS A. (CG) (FBI) 

Sent: Wednesday, September 21, 2016 5:02 PM 

To: BATTY, NC. (CYD) (FBI); HUBIAK, JOSHUA J. (PH) (FBI) 

Cc: WIERZBICKI, DANIEL S. (CG) (FBI); COTELLESSE, GERALD S. (PH) (FBI); STRANAHAN, TIMOTHY (CE) (FBI); 
NORWAT, BRANDON H. (CD) (FBI); HELLMAN, SCOTT J. (CYD) (FBI); SANDS, ALLISON (CG) (FBI); PIENTKA, JOE (WF) 
(FBI) 

Subject: RE: Analysis of Trump White Paper --- UNCLASSIFIED//FOUO 


Classification: UNCLASSIFIED//FOUO 


OK excellent. Thanks Nate. 


Per a few conversations with CD today, CG will be opening a 105H case to address the Cl concerns in this 
report, given that it happens to dovetail with another investigation of similar interest. SA Allison Sands will be 
the Case Agent in CG. In the event that we identify any Russian malware or anything else indicating that there 
could be a cyber intrusion related to this, then we'll definitely re-engage Philly/ECOU to keep coordinating 
efforts on this. 


That being said, could we get a copy of the thumb drives to take a look at what’s on them? Either through 
OPWAN or have the originals sent here for Allison’s review as well? Also, any additional insight or thoughts on 
this would be welcomed. 


Hit me up with any questions, and the help is very much appreciated on this end. 


Curtis 


REDACTED -8432 
From: BATTY, N C. (CYD) (FBI) 


Sent: Wednesday, September 21, 2016 3:46 PM 


FBI-DWS-01-0000940 


SCO_FBIPROD_005424 
SCO-020089 


No. 1:21-cr-00582-CRC (D.D.C.) DX-519_0002 


To: HUBIAK, JOSHUA J. (PH) (FBI); HEIDE, CURTIS A. (CG) (FBI) 

Cc: WIERZBICKI, DANIEL S. (CG) (FBI); COTELLESSE, GERALD S. (PH) (FBI); STRANAHAN, TIMOTHY (CE) (FBI); 
NORWAT, BRANDON H. (CD) (FBI); HELLMAN, SCOTT J. (CYD) (FBI) 

Subject: Analysis of Trump White Paper --- UNCLASSIFIED//FOUO 


Classification: UNCLASSIFIED//FOUO 


Josh, Curtis, by way of update, 


CG (Curtis Heide) just called to inquire about ECOU 1’s involvement in the Trump matter you and | discussed 
yesterday. Curtis has been working (TDY) the election issues and has been called back by CD to work matters 
related to this white paper. CG had a copy of the white paper | forwarded to you from CD channels, and was 
inquiring as to whether ECOU 1 had any logs or other data from the referenced server. 


| communicated to Curtis that we (CyD) haven't opened a case yet, and based on the information we know, 
ECOU 1 does not have an equity in this issue, as we do not see an intrusion nexus, and we assess the 
information to point primarily to a CD issue (as you mentioned, this could also be a public corruption issue). 
Therefore, ECOU 1 doesn’t intend to open a case unless requested specifically by CD that we do soina 
supporting role. 


Curtis advised CG would be opening a CD case (105....z or other), in-line with Curtis’ assignment on the 
‘special’. | affirmed that ECOU doesn’t have an equity in the issue for now, and that which field office opens 
the case is a CD matter as far as we are concerned. 


I told Curtis that CyD is ready and willing to assist in any way, and we were glad to open a case if requested. | 
also told him | had sent the white paper to PH, PH had reviewed it, also felt that CyD would open a case only 
as requested in a supporting role, and offered to open a CyD case if requested. 


Curtis, Josh is A/SSA for PH’s cyber squad. PH is ready and willing to assist as needed. Also, could you let me 
know what you’d like done with these (2) thumb drives? We have a chain of custody from their receipt by FBI 
General Counsel James Baker. 

A/AD Sporre asked us to evaluate this for cyber equities, and to provide a assessment from a cyber 
perspective. Below is ECOU 1’s assessment of the white paper and supporting documentation provided to us 
by CyD A/AD Sporre on 9/20/2016. 

V/R 


Nate 


<< File: Analysis of Trump server white paper.docx >> 


Classification: UNCLASSIFIED//FOUO 


Classification: UNCLASSIFIED//FOUO 


FBI-DWS-01-0000941 


SCO_FBIPROD_005425 
SCO-020090 


No. 1:21-cr-00582-CRC (D.D.C.) DX-519_0003 


Q 


lassification: 


INCLASSIFIED//FOUO 


Q 


lassification: 


UNCLASSIFIED//FOUO 


Q 


lassification: 


UNCLASSIFIED//FOUO 


No. 1:21-cr-00582-CRC (D.D.C.) 


FBI-DWS-01-0000942 


SCO_FBIPROD_005426 
SCO-020091 


DX-519_0004 


UNCLASSIFIED//FOUO 


Assessment of the provided white paper and supporting documentation on (2) thumb drives. 


SUMMARY — ECOU 1 assess there is no CyD equity in this report and that the research conducted in the 
report reveals some questionable investigative steps taken and conclusions drawn. This opinion is drawn 
from the following observations: 


The investigators who conducted the research appear to have done the following: 


1. Searched, via publically available information, for every internet domain (a “domain” is 
“abc.com”) that had the word “Trump” in it. 

2. Scrubbed that list of those domains for the words “mail”, “smtp”, “relay”, or “mta”. Filtering on 
these key words would provide possibilities of mail servers. 

a. For any given domain name (“abc.com”), there could be an e-mail server that provides 
e-mail services to the domain. This service allows the owner of “abc.com” to have e-mail 
addresses such as “johndoe@abc.com”, etc). E-mail servers have a domain name of 
their own, and commonly, those domain names could be something like 
“mail.abc.com”, or “mail1.abc.com”, etc. 

b. These steps are a very round-about way to identify mail servers associated with 
domains. A more standard process would be to look up a domain such as “trump- 
email.com”, and then search for attending mail servers to trump-email.com. However, 
this standard process would not reveal mail1.trump-email.com (because mail1.trump- 
email.com isn't registered as the mail server for trump-email.com). Furthermore, if one 
were to only be looking for hidden mail servers, it is unlikely one would search for 
Donald Trump’s hidden mail servers by searching for mail servers with the name 
“trump” and “mail” included in them. Therefore, these two search steps could indicate 
the investigator already knew of the domain “mail1.trump-email.com”, and conducted 
these searches to reverse-support their knowledge. 

3. Results from steps 1 and 2 are stated in the research paper to yield 537 domains. These results 
were filtered by domains that were “...registered by the Trump organization...”, which yielded 
15 results. 

a. Registration by the Trump organization appears to have been confirmed via whois 
lookups. This is a reliable source, but should not be deemed definitive without 
confirmation through formal legal process. 

b. One of these 15 results was the domain “mail1.trump-email.com”. 

4. The next steps the investigator took were: 

a. Attempted to communicate with mail1.trump-email.com over port 25 (a mail 
submission port), and received an error message indicating the server did not accept 
communications over port 25 from the investigator’s IP address (not definitive whether 
the server would receive communication from others, or even many others). 

b. Searched “...global nonpublic DNS activity...” (unclear how this was done) and 
discovered there are (4) primary IP addresses that have resolved the name 


UNCLASSIFIED//FOUO 


FBI-DWS-01-0000943 


SCO_FBIPROD_005427 
SCO-020092 


No. 1:21-cr-00582-CRC (D.D.C.) DX-519_0005 


UNCLASSIFIED//FOUO 


“maill.trump-email.com”. Two of these belong to DNS servers at Russian Alfa Bank. 
[When computer A wants to communicate with computer B, computer A must know 
computer B’s IP address. In order to learn computer B’s IP address, computer A 
conducts a DNS lookup, which essentially is a public inquiry, asking “Hello world, what is 
the IP address for mail1.trump-email.com?” The investigator's research indicates, over 
the period May 4 2016 — Sept 4 2016, two of Alfa Bank's DNS resolvers, asked the world 
614 times what mail1.trump-email.com’s IP address was, presumably so it (a computer 
at Alfa Bank) could communicate with maill.trump-email.com. Two other IPs also 
conducted a statistically significant number of DNS lookups for email1.trump-email.com. 
c. Provided the identities of numerous dubious persons associated with Alfa Bank. 

5. From the steps in # 4 above, the investigator seems to have concluded the following, which may 

or may not be true: 
a. That maill.trump-email.com is in fact a mail server and is owned by a Trump 
organization; this conclusion seems based off of: 
i. The whois record 
ii. The name “mail1” included in the domain name (though you can name a 
domain anything you want; the domain name “i.am.an.email.server.trump.com” 
is not necessarily an e-mail server for trump.com) 
iii. That maill.trump-email.com is responsive (though with an error message) to 
standard e-mail receiving port 25 
b. That maill.trump-email.com is “secret”, or obfuscated from the general public, because: 
i. The Russian computers must be configured specially to talk directly to 
mail1.trump-email.com (because you cannot find mail1.trump-email.com via a 
standard MX (mail server) lookup of trump-email.com). 

c. That the [presumed] e-mail server is set up specifically to only communicate to 
designated IP addresses (though there is no substantiation that mail1.trump-email.com 
communicates with any IPs at all). 

d. That the Russian computers have actually communicated with mail1.trump-email.com 
(though there is only information indicating the Russian computers have asked what 
mail1.trump-email.com’s IP address is). 

e. That there is no plausible reason why these communications would occur excepting for 
illegitimate reasons. This is because a server (such as mail1.trump-email.com) would 
never be found by somebody trying to send mail directly to the trump-email.com 
domain. A person would have to expressly search for the obscure name “mail1.trump- 
email.com” to find it. Therefore the Russian computers have been specially configured 
to communicate directly to “mail1.trump-email.com”. 

f. The communication between mail1.trump-email.com is between the Trump 
organization and bad actors working at Alfa Bank or associated with Alfa Bank. 


UNCLASSIFIED//FOUO 


FBI-DWS-01-0000944 
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UNCLASSIFIED//FOUO 


In conclusion, ECOU 1 suggests there is currently no cyber intrusion component in this case and that the 
report provided contains questionable methods and intentions. Based on the information provided, it 
also remains a possibility that the report was fabricated. If the domain maill.trump-email.com were 
discovered by researchers, a computer at Alfa Bank could be configured to conduct multiple DNS 
inquiries to create the appearance that a Russian bank is communicating exclusively with the domain 
mail1.trump-email.com. Furthermore, it appears suspicious that the presumed suspicious activity began 
approximately three weeks prior to the stated start of the investigation conducted by the researcher. 


Finally, it appears abnormal that a presidential candidate, who wanted to conduct secret 
correspondence with the Russian government (or a Russian bank), would (1) name his secret server 
“mail1.trump-email.com”, (2) use a domain (trump-email.com) registered to his own organization, and 
then (3) communicate directly to the Russian bank’s IP address (as opposed to using TOR or proxy 
servers). ECOU 1 also assesses Russian state-sponsored technical sophistication to exceed the OpsSec of 
that suggested in the report. 


UNCLASSIFIED//FOUO 
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